The Latest in IT Security

Popular Software targeted in China

12 Jul 2011

Malware that replaces a Windows system file is an old trick. Replacing another application's module is far less common, because the triggering requirements are complicated. In the past we only saw malware that modified QQ's components to steal the user's QQ account credentials. Recently we found a malware family that replaces modules of several popular applications so that those applications behave maliciously.

In general, this malware first downloads a configuration file that describes which file to replace and how to do it. Second, it sets up a timer to check for the target application and downloads the malicious file that replaces the original. When the fake module is loaded by the main application, it behaves as a clicker.

The configuration file looks like the one below. I have annotated it to make it easier to understand:

[Image 1: annotated configuration file]

The malware first sets up two timers that keep running:

[Image 2: timer setup]

It parses the configuration file to learn how to read the registry in order to obtain the target application's information:

[Image 3: parsing the configuration file]

[Image 4: reading the target application's registry information]

Then it checks the file name and file version to decide whether to replace the module:

[Image 5: file name and version check]

If the answer is yes, it downloads the associated pre-modified copy of the module. Then it kills the application's process, backs up the original file and replaces it:

[Images 6 to 8: downloading the modified module, terminating the application, backing up and replacing the original file]

At this point the malware has replaced the original file with the malicious one. Now let's look at the fake module file. Its DllMain function is as follows:

[Image 9: DllMain of the fake module]

It is easy to understand. It first adds an entry to the RUN key so that the application starts with the system. Then it checks whether a mutex named 'Pidalce' exists. If not, meaning no infector is already running on the system, it downloads a payload and launches it:

[Image 10: mutex check and payload download]

After that, it adds some unwelcome shortcuts to both the Internet Explorer Favorites and the desktop. Finally, it loads the original module that was backed up earlier, so that the application keeps running normally.

What about the exported functions? How does the fake file implement them so that the application runs properly? Look at the snapshots below:

[Images 11 and 12: fake export function forwarding to the original module]

As mentioned above, the fake module loads the original module. So in each fake export function, the malware obtains the address of the corresponding original export and calls it, so that the call behaves as if the original function had been invoked.
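A defender's counterpart to the replacement and backup steps described above, as an added example (not code from the original post or from AVG): a module-integrity check that flags a replaced module by hash and also flags the renamed original that a forwarding stub keeps next to it. The baseline hashes, module names and install directory are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    # Stream the file; media-player modules can be large.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_modules(app_dir, baseline):
    """Compare an install directory against {module name: vendor SHA-256}.

    Hashes, not the PE version string, decide the verdict: a replacement
    module can carry the same version resource as the file it displaced.
    Returns sorted (finding, file name) pairs.
    """
    app_dir = Path(app_dir)
    findings = []
    for name, expected in baseline.items():
        target = app_dir / name
        if not target.is_file():
            findings.append(("missing", name))
        elif sha256_file(target) != expected:
            findings.append(("replaced", name))
    # A replacer that keeps the original so the fake can forward its exports
    # leaves a file with a known-good hash under an unexpected name.
    by_hash = {digest: name for name, digest in baseline.items()}
    for entry in app_dir.iterdir():
        if entry.is_file() and entry.name not in baseline:
            original = by_hash.get(sha256_file(entry))
            if original is not None:
                findings.append(("backup_of_" + original, entry.name))
    return sorted(findings)

def demo():
    """Constructed sample: a.dll intact, b.dll swapped with its original kept."""
    good_a, good_b = b"MZ-original-module-A", b"MZ-original-module-B"
    baseline = {"a.dll": hashlib.sha256(good_a).hexdigest(),
                "b.dll": hashlib.sha256(good_b).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "a.dll").write_bytes(good_a)
        (Path(d) / "b.dll").write_bytes(b"MZ-fake-forwarding-stub")
        (Path(d) / "b.dll.bak").write_bytes(good_b)
        return check_modules(d, baseline)
```

In a real deployment the baseline comes from the vendor's signed release, and the check runs on the same schedule the malware uses for its own timer, so a swap is noticed before the next application start.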

From the configuration file, we find that this malware will replace modules from these popular applications in China:

Thunder

PPStream

PPLive

StormPlayer

AliWangwang

TTPlayer

SogouExplorer

Maxthon

These are widely used applications in China. AVG detects this malware as Clicker to keep you safe.


Jason Zhou & Hynek Blinka
